I'm scratching my head about this question... I have a Debian squeeze machine that is connected to an internal lab network. We have a lot of machines that have default proxy-arp configurations on them, and occasionally one of those machines starts hijacking a lot of lab addresses.

After resolving the latest Proxy-ARP incident, which brought down most of our lab, I found a few residual entries like this in /var/log/syslog (below). For those not accustomed to reading arpwatch logs, the machine that owns 00:11:43:d2:68:65 is fighting with 192.168.12.102 and 192.168.12.103 about who owns those addresses.

The very alarming thing is that 00:11:43:d2:68:65 belongs to the same machine I was running arpwatch on... First, I validated that /proc/sys/net/ipv4/conf/eth0/proxy_arp is 0. Next, I used tshark to validate that my machine really is spoofing ARPs to others...

The facts are undeniable. I have a Debian box that is spoofing ARPs and I have no idea why. I am the only user on this machine, I run fail2ban to prevent brute-force attacks, and it's on an internal lab network behind a door that requires a badge for entry; I highly doubt it has been hacked.

Three questions...

First, is there any cause I may have missed? What steps should I use to isolate whether this is an application or kernel problem?